@imtbl/auth-next-server 2.12.5-alpha.13

package/dist/node/index.d.ts

@@ -0,0 +1,301 @@
+/**
+ * @imtbl/auth-next-server
+ *
+ * Server-side utilities for Immutable Auth.js v5 integration with Next.js.
+ * This package has NO dependency on @imtbl/auth and is safe to use in
+ * Next.js middleware and Edge Runtime environments.
+ *
+ * For client-side components (provider, hooks, callback), use @imtbl/auth-next-client.
+ */
+import NextAuthImport from 'next-auth';
+import type { NextAuthConfig, Session } from 'next-auth';
+import { type NextRequest, NextResponse } from 'next/server';
+import type { ImmutableAuthConfig } from './types';
+declare const NextAuth: typeof NextAuthImport;
+/**
+ * Auth.js v5 config options that can be overridden.
+ * Excludes 'providers' as that's managed internally.
+ */
+export type ImmutableAuthOverrides = Omit<NextAuthConfig, 'providers'>;
+/**
+ * Return type of createImmutableAuth - the NextAuth instance with handlers
+ */
+export type ImmutableAuthResult = ReturnType<typeof NextAuth>;
+/**
+ * Create an Auth.js v5 instance with Immutable authentication
+ *
+ * @param config - Immutable auth configuration
+ * @param overrides - Optional Auth.js options to override defaults
+ * @returns NextAuth instance with { handlers, auth, signIn, signOut }
+ *
+ * @remarks
+ * Callback composition: The `jwt` and `session` callbacks are composed rather than
+ * replaced. Internal callbacks run first (handling token storage and refresh), then
+ * your custom callbacks receive the result. Other callbacks (`signIn`, `redirect`)
+ * are replaced entirely if provided.
+ *
+ * @example Basic usage (App Router)
+ * ```typescript
+ * // lib/auth.ts
+ * import { createImmutableAuth } from "@imtbl/auth-next-server";
+ *
+ * export const { handlers, auth, signIn, signOut } = createImmutableAuth({
+ *   clientId: process.env.NEXT_PUBLIC_IMMUTABLE_CLIENT_ID!,
+ *   redirectUri: `${process.env.NEXT_PUBLIC_BASE_URL}/callback`,
+ * });
+ *
+ * // app/api/auth/[...nextauth]/route.ts
+ * import { handlers } from "@/lib/auth";
+ * export const { GET, POST } = handlers;
+ * ```
+ */
+export declare function createImmutableAuth(config: ImmutableAuthConfig, overrides?: ImmutableAuthOverrides): ImmutableAuthResult;
+export { createAuthConfig, createAuthOptions } from './config';
+export type { ImmutableAuthConfig, ImmutableTokenData, UserInfoResponse, ZkEvmUser, ImmutableUser, } from './types';
+/**
+ * Result from getValidSession indicating auth state
+ */
+export type ValidSessionResult = {
+    status: 'authenticated';
+    session: Session;
+} | {
+    status: 'token_expired';
+    session: Session;
+} | {
+    status: 'unauthenticated';
+    session: null;
+} | {
+    status: 'error';
+    session: Session;
+    error: string;
+};
+/**
+ * Auth props to pass to components - enables automatic SSR/CSR switching.
+ * When token is valid, session contains accessToken for immediate use.
+ * When token is expired, ssr is false and component should fetch client-side.
+ */
+export interface AuthProps {
+    /** Session with valid tokens, or null if token expired/unauthenticated */
+    session: Session | null;
+    /** If true, SSR data fetching occurred with valid token */
+    ssr: boolean;
+    /** Auth error that requires user action (not TokenExpired) */
+    authError?: string;
+}
+/**
+ * Auth props with pre-fetched data for SSR hydration.
+ * Extends AuthProps with optional data that was fetched server-side.
+ */
+export interface AuthPropsWithData<T> extends AuthProps {
+    /** Pre-fetched data from server (null if SSR was skipped or fetch failed) */
+    data: T | null;
+    /** Error message if server-side fetch failed */
+    fetchError?: string;
+}
+/**
+ * Auth props without the authError field.
+ * Used when auth error handling is automatic via onAuthError callback.
+ */
+export interface ProtectedAuthProps {
+    /** Session with valid tokens, or null if token expired/unauthenticated */
+    session: Session | null;
+    /** If true, SSR data fetching occurred with valid token */
+    ssr: boolean;
+}
+/**
+ * Protected auth props with pre-fetched data.
+ * Used when auth error handling is automatic via onAuthError callback.
+ */
+export interface ProtectedAuthPropsWithData<T> extends ProtectedAuthProps {
+    /** Pre-fetched data from server (null if SSR was skipped or fetch failed) */
+    data: T | null;
+    /** Error message if server-side fetch failed */
+    fetchError?: string;
+}
+/**
+ * Type for the auth function returned by createImmutableAuth
+ */
+export type AuthFunction = () => Promise<Session | null>;
+/**
+ * Get auth props for passing to Client Components (without data fetching).
+ * Use this when you want to handle data fetching separately or client-side only.
+ *
+ * For SSR data fetching, use `getAuthenticatedData` instead.
+ *
+ * @param auth - The auth function from createImmutableAuth
+ * @returns AuthProps with session and ssr flag
+ *
+ * @example
+ * ```typescript
+ * const authProps = await getAuthProps(auth);
+ * if (authProps.authError) redirect("/login");
+ * return <MyComponent {...authProps} />;
+ * ```
+ */
+export declare function getAuthProps(auth: AuthFunction): Promise<AuthProps>;
+/**
+ * Fetch authenticated data on the server with automatic SSR/CSR switching.
+ *
+ * This is the recommended pattern for Server Components that need authenticated data:
+ * - When token is valid: Fetches data server-side, returns with `ssr: true`
+ * - When token is expired: Skips fetch, returns `ssr: false` for client-side handling
+ *
+ * @param auth - The auth function from createImmutableAuth
+ * @param fetcher - Async function that receives access token and returns data
+ * @returns AuthPropsWithData containing session, ssr flag, and pre-fetched data
+ */
+export declare function getAuthenticatedData<T>(auth: AuthFunction, fetcher: (accessToken: string) => Promise<T>): Promise<AuthPropsWithData<T>>;
+/**
+ * Get session with detailed status for Server Components.
+ * Use this when you need fine-grained control over different auth states.
+ *
+ * @param auth - The auth function from createImmutableAuth
+ * @returns Object with status and session
+ */
+export declare function getValidSession(auth: AuthFunction): Promise<ValidSessionResult>;
+/**
+ * Auth error handler signature.
+ * The handler should either redirect (using Next.js redirect()) or throw an error.
+ * It must never return normally - hence the `never` return type.
+ *
+ * @param error - The auth error (e.g., "RefreshTokenError")
+ */
+export type AuthErrorHandler = (error: string) => never;
+/**
+ * Create a protected data fetcher with automatic auth error handling.
+ *
+ * This eliminates the need to check `authError` on every page. Define the error
+ * handling once, and all pages using this fetcher will automatically redirect
+ * on auth errors.
+ *
+ * @param auth - The auth function from createImmutableAuth
+ * @param onAuthError - Handler called when there's an auth error (should redirect or throw)
+ * @returns A function to fetch protected data without needing authError checks
+ */
+export declare function createProtectedDataFetcher(auth: AuthFunction, onAuthError: AuthErrorHandler): <T>(fetcher: (accessToken: string) => Promise<T>) => Promise<ProtectedAuthPropsWithData<T>>;
+/**
+ * Create auth props getter with automatic auth error handling.
+ *
+ * Similar to createProtectedDataFetcher but for cases where you don't need
+ * server-side data fetching.
+ *
+ * @param auth - The auth function from createImmutableAuth
+ * @param onAuthError - Handler called when there's an auth error (should redirect or throw)
+ * @returns A function to get auth props without needing authError checks
+ */
+export declare function createProtectedAuthProps(auth: AuthFunction, onAuthError: AuthErrorHandler): () => Promise<ProtectedAuthProps>;
+/**
+ * Result of createProtectedFetchers
+ */
+export interface ProtectedFetchers {
+    /**
+     * Get auth props with automatic auth error handling.
+     * No data fetching - use when you only need session/auth state.
+     */
+    getAuthProps: () => Promise<ProtectedAuthProps>;
+    /**
+     * Fetch authenticated data with automatic auth error handling.
+     * Use for SSR data fetching with automatic fallback.
+     */
+    getData: <T>(fetcher: (accessToken: string) => Promise<T>) => Promise<ProtectedAuthPropsWithData<T>>;
+}
+/**
+ * Create protected fetchers with centralized auth error handling.
+ *
+ * This is the recommended way to set up auth error handling once and use it
+ * across all protected pages. Define your error handler once, then use the
+ * returned functions without needing to check authError on each page.
+ *
+ * @param auth - The auth function from createImmutableAuth
+ * @param onAuthError - Handler called when there's an auth error (should redirect or throw)
+ * @returns Object with getAuthProps and getData functions
+ */
+export declare function createProtectedFetchers(auth: AuthFunction, onAuthError: AuthErrorHandler): ProtectedFetchers;
+/**
+ * Options for withServerAuth
+ */
+export interface WithServerAuthOptions<TFallback> {
+    /**
+     * Content to render when token is expired.
+     * This should typically be a Client Component that will refresh tokens and fetch data.
+     * If not provided, the serverRender function will still be called with the expired session.
+     */
+    onTokenExpired?: TFallback | (() => TFallback);
+    /**
+     * Content to render when user is not authenticated at all.
+     * If not provided, throws an error.
+     */
+    onUnauthenticated?: TFallback | (() => TFallback);
+    /**
+     * Content to render when there's an auth error (e.g., refresh token invalid).
+     * If not provided, throws an error.
+     */
+    onError?: TFallback | ((error: string) => TFallback);
+}
+/**
+ * Helper for Server Components that need authenticated data.
+ * Automatically handles token expiration by rendering a client fallback.
+ *
+ * @param auth - The auth function from createImmutableAuth
+ * @param serverRender - Async function that receives valid session and returns JSX
+ * @param options - Fallback options for different auth states
+ * @returns The rendered content based on auth state
+ */
+export declare function withServerAuth<TResult, TFallback = TResult>(auth: AuthFunction, serverRender: (session: Session) => Promise<TResult>, options?: WithServerAuthOptions<TFallback>): Promise<TResult | TFallback>;
+/**
+ * Options for createAuthMiddleware
+ */
+export interface AuthMiddlewareOptions {
+    /**
+     * URL to redirect to when not authenticated
+     * @default "/login"
+     */
+    loginUrl?: string;
+    /**
+     * Paths that should be protected (regex patterns)
+     * If not provided, middleware should be configured via Next.js matcher
+     */
+    protectedPaths?: (string | RegExp)[];
+    /**
+     * Paths that should be excluded from protection (regex patterns)
+     * Takes precedence over protectedPaths
+     */
+    publicPaths?: (string | RegExp)[];
+}
+/**
+ * Create a Next.js middleware for protecting routes with Immutable authentication.
+ *
+ * This is the App Router replacement for `withPageAuthRequired`.
+ *
+ * @param auth - The auth function from createImmutableAuth
+ * @param options - Middleware options
+ * @returns A Next.js middleware function
+ *
+ * @example Basic usage with Next.js middleware:
+ * ```typescript
+ * // middleware.ts
+ * import { createAuthMiddleware } from "@imtbl/auth-next-server";
+ * import { auth } from "@/lib/auth";
+ *
+ * export default createAuthMiddleware(auth, {
+ *   loginUrl: "/login",
+ * });
+ *
+ * export const config = {
+ *   matcher: ["/dashboard/:path*", "/profile/:path*"],
+ * };
+ * ```
+ */
+export declare function createAuthMiddleware(auth: AuthFunction, options?: AuthMiddlewareOptions): (request: NextRequest) => Promise<NextResponse<unknown>>;
+/**
+ * Higher-order function to protect a Server Action or Route Handler.
+ *
+ * The returned function forwards all arguments from Next.js to your handler,
+ * allowing access to the request, context, form data, or any other arguments.
+ *
+ * @param auth - The auth function from createImmutableAuth
+ * @param handler - The handler function to protect. Receives session as first arg,
+ *                  followed by any arguments passed by Next.js (request, context, etc.)
+ * @returns A protected handler that checks authentication before executing
+ */
+export declare function withAuth<TArgs extends unknown[], TReturn>(auth: AuthFunction, handler: (session: Session, ...args: TArgs) => Promise<TReturn>): (...args: TArgs) => Promise<TReturn>;

package/dist/node/index.js

@@ -0,0 +1,390 @@
+// src/index.ts
+import NextAuthImport from "next-auth";
+import { NextResponse } from "next/server";
+
+// src/config.ts
+import CredentialsImport from "next-auth/providers/credentials";
+
+// src/constants.ts
+var DEFAULT_AUTH_DOMAIN = "https://auth.immutable.com";
+var IMMUTABLE_PROVIDER_ID = "immutable";
+var DEFAULT_TOKEN_EXPIRY_SECONDS = 900;
+var DEFAULT_TOKEN_EXPIRY_MS = DEFAULT_TOKEN_EXPIRY_SECONDS * 1e3;
+var TOKEN_EXPIRY_BUFFER_SECONDS = 60;
+var DEFAULT_SESSION_MAX_AGE_SECONDS = 365 * 24 * 60 * 60;
+
+// src/refresh.ts
+function isTokenExpired(accessTokenExpires, bufferSeconds = TOKEN_EXPIRY_BUFFER_SECONDS) {
+  if (typeof accessTokenExpires !== "number" || Number.isNaN(accessTokenExpires)) {
+    return true;
+  }
+  return Date.now() >= accessTokenExpires - bufferSeconds * 1e3;
+}
+
+// src/config.ts
+var Credentials = CredentialsImport.default || CredentialsImport;
+async function validateTokens(accessToken, authDomain) {
+  try {
+    const response = await fetch(`${authDomain}/userinfo`, {
+      method: "GET",
+      headers: {
+        Authorization: `Bearer ${accessToken}`
+      }
+    });
+    if (!response.ok) {
+      console.error("[auth-next-server] Token validation failed:", response.status, response.statusText);
+      return null;
+    }
+    return await response.json();
+  } catch (error) {
+    console.error("[auth-next-server] Token validation error:", error);
+    return null;
+  }
+}
+function createAuthConfig(config) {
+  const authDomain = config.authenticationDomain || DEFAULT_AUTH_DOMAIN;
+  return {
+    providers: [
+      Credentials({
+        id: IMMUTABLE_PROVIDER_ID,
+        name: "Immutable",
+        credentials: {
+          tokens: { label: "Tokens", type: "text" }
+        },
+        async authorize(credentials) {
+          if (!credentials?.tokens || typeof credentials.tokens !== "string") {
+            return null;
+          }
+          let tokenData;
+          try {
+            tokenData = JSON.parse(credentials.tokens);
+          } catch (error) {
+            console.error("[auth-next-server] Failed to parse token data:", error);
+            return null;
+          }
+          if (!tokenData.accessToken || typeof tokenData.accessToken !== "string" || !tokenData.profile || typeof tokenData.profile !== "object" || !tokenData.profile.sub || typeof tokenData.profile.sub !== "string" || typeof tokenData.accessTokenExpires !== "number" || Number.isNaN(tokenData.accessTokenExpires)) {
+            console.error("[auth-next-server] Invalid token data structure - missing required fields");
+            return null;
+          }
+          const userInfo = await validateTokens(tokenData.accessToken, authDomain);
+          if (!userInfo) {
+            console.error("[auth-next-server] Token validation failed - rejecting authentication");
+            return null;
+          }
+          if (userInfo.sub !== tokenData.profile.sub) {
+            console.error(
+              "[auth-next-server] User ID mismatch - userinfo sub:",
+              userInfo.sub,
+              "provided sub:",
+              tokenData.profile.sub
+            );
+            return null;
+          }
+          return {
+            id: userInfo.sub,
+            sub: userInfo.sub,
+            email: userInfo.email ?? tokenData.profile.email,
+            nickname: userInfo.nickname ?? tokenData.profile.nickname,
+            accessToken: tokenData.accessToken,
+            refreshToken: tokenData.refreshToken,
+            idToken: tokenData.idToken,
+            accessTokenExpires: tokenData.accessTokenExpires,
+            zkEvm: tokenData.zkEvm
+          };
+        }
+      })
+    ],
+    callbacks: {
+      // eslint-disable-next-line @typescript-eslint/no-explicit-any
+      async jwt({
+        token,
+        user,
+        trigger,
+        session: sessionUpdate
+      }) {
+        if (user) {
+          return {
+            ...token,
+            sub: user.sub,
+            email: user.email,
+            nickname: user.nickname,
+            accessToken: user.accessToken,
+            refreshToken: user.refreshToken,
+            idToken: user.idToken,
+            accessTokenExpires: user.accessTokenExpires,
+            zkEvm: user.zkEvm
+          };
+        }
+        if (trigger === "update" && sessionUpdate) {
+          const update = sessionUpdate;
+          return {
+            ...token,
+            ...update.accessToken ? { accessToken: update.accessToken } : {},
+            ...update.refreshToken ? { refreshToken: update.refreshToken } : {},
+            ...update.idToken ? { idToken: update.idToken } : {},
+            ...update.accessTokenExpires ? { accessTokenExpires: update.accessTokenExpires } : {},
+            ...update.zkEvm ? { zkEvm: update.zkEvm } : {},
+            // Clear any stale error when valid tokens are synced from client-side
+            error: void 0
+          };
+        }
+        if (!isTokenExpired(token.accessTokenExpires)) {
+          return token;
+        }
+        return {
+          ...token,
+          error: "TokenExpired"
+        };
+      },
+      // eslint-disable-next-line @typescript-eslint/no-explicit-any
+      async session({ session, token }) {
+        return {
+          ...session,
+          user: {
+            ...session.user,
+            sub: token.sub,
+            email: token.email,
+            nickname: token.nickname
+          },
+          accessToken: token.accessToken,
+          refreshToken: token.refreshToken,
+          idToken: token.idToken,
+          accessTokenExpires: token.accessTokenExpires,
+          zkEvm: token.zkEvm,
+          ...token.error && { error: token.error }
+        };
+      }
+    },
+    session: {
+      strategy: "jwt",
+      // Session max age in seconds (365 days default)
+      maxAge: DEFAULT_SESSION_MAX_AGE_SECONDS
+    }
+  };
+}
+var createAuthOptions = createAuthConfig;
+
+// src/utils/pathMatch.ts
+function matchPathPrefix(pathname, pattern) {
+  if (pathname === pattern) return true;
+  const prefix = pattern.endsWith("/") ? pattern : `${pattern}/`;
+  return pathname.startsWith(prefix);
+}
+
+// src/index.ts
+var NextAuth = NextAuthImport.default || NextAuthImport;
+function createImmutableAuth(config, overrides) {
+  const baseConfig = createAuthConfig(config);
+  if (!overrides) {
+    return NextAuth(baseConfig);
+  }
+  const { callbacks: overrideCallbacks, ...otherOverrides } = overrides;
+  const composedCallbacks = { ...baseConfig.callbacks };
+  if (overrideCallbacks) {
+    if (overrideCallbacks.jwt) {
+      const baseJwt = baseConfig.callbacks?.jwt;
+      const userJwt = overrideCallbacks.jwt;
+      composedCallbacks.jwt = async (params) => {
+        const result = baseJwt ? await baseJwt(params) : params.token;
+        return userJwt({ ...params, token: result });
+      };
+    }
+    if (overrideCallbacks.session) {
+      const baseSession = baseConfig.callbacks?.session;
+      const userSession = overrideCallbacks.session;
+      composedCallbacks.session = async (params) => {
+        const result = baseSession ? await baseSession(params) : params.session;
+        return userSession({ ...params, session: result });
+      };
+    }
+    if (overrideCallbacks.signIn) {
+      composedCallbacks.signIn = overrideCallbacks.signIn;
+    }
+    if (overrideCallbacks.redirect) {
+      composedCallbacks.redirect = overrideCallbacks.redirect;
+    }
+    if (overrideCallbacks.authorized) {
+      composedCallbacks.authorized = overrideCallbacks.authorized;
+    }
+  }
+  const mergedConfig = {
+    ...baseConfig,
+    ...otherOverrides,
+    callbacks: composedCallbacks
+  };
+  return NextAuth(mergedConfig);
+}
+async function getAuthProps(auth) {
+  const session = await auth();
+  if (!session) {
+    return { session: null, ssr: false };
+  }
+  if (session.error === "TokenExpired") {
+    return { session: null, ssr: false };
+  }
+  if (session.error) {
+    return { session: null, ssr: false, authError: session.error };
+  }
+  return { session, ssr: true };
+}
+async function getAuthenticatedData(auth, fetcher) {
+  const session = await auth();
+  if (!session) {
+    return { session: null, ssr: false, data: null };
+  }
+  if (session.error === "TokenExpired") {
+    return { session: null, ssr: false, data: null };
+  }
+  if (session.error) {
+    return {
+      session: null,
+      ssr: false,
+      data: null,
+      authError: session.error
+    };
+  }
+  try {
+    const data = await fetcher(session.accessToken);
+    return { session, ssr: true, data };
+  } catch (err) {
+    const errorMessage = err instanceof Error ? err.message : String(err);
+    return {
+      session,
+      ssr: true,
+      data: null,
+      fetchError: errorMessage
+    };
+  }
+}
+async function getValidSession(auth) {
+  const session = await auth();
+  if (!session) {
+    return { status: "unauthenticated", session: null };
+  }
+  if (!session.error) {
+    return { status: "authenticated", session };
+  }
+  if (session.error === "TokenExpired") {
+    return { status: "token_expired", session };
+  }
+  return { status: "error", session, error: session.error };
+}
+function createProtectedDataFetcher(auth, onAuthError) {
+  return async function getProtectedData(fetcher) {
+    const result = await getAuthenticatedData(auth, fetcher);
+    if (result.authError) {
+      onAuthError(result.authError);
+    }
+    const { authError: handledAuthError, ...props } = result;
+    return props;
+  };
+}
+function createProtectedAuthProps(auth, onAuthError) {
+  return async function getProtectedAuth() {
+    const result = await getAuthProps(auth);
+    if (result.authError) {
+      onAuthError(result.authError);
+    }
+    const { authError: handledAuthError, ...props } = result;
+    return props;
+  };
+}
+function createProtectedFetchers(auth, onAuthError) {
+  return {
+    getAuthProps: createProtectedAuthProps(auth, onAuthError),
+    getData: createProtectedDataFetcher(auth, onAuthError)
+  };
+}
+async function withServerAuth(auth, serverRender, options = {}) {
+  const result = await getValidSession(auth);
+  switch (result.status) {
+    case "authenticated":
+      return serverRender(result.session);
+    case "token_expired":
+      if (options.onTokenExpired !== void 0) {
+        return typeof options.onTokenExpired === "function" ? options.onTokenExpired() : options.onTokenExpired;
+      }
+      return serverRender(result.session);
+    case "unauthenticated":
+      if (options.onUnauthenticated !== void 0) {
+        return typeof options.onUnauthenticated === "function" ? options.onUnauthenticated() : options.onUnauthenticated;
+      }
+      throw new Error("Unauthorized: No active session");
+    case "error":
+      if (options.onError !== void 0) {
+        return typeof options.onError === "function" ? options.onError(result.error) : options.onError;
+      }
+      throw new Error(`Unauthorized: ${result.error}`);
+    default:
+      throw new Error("Unknown auth state");
+  }
+}
+function createAuthMiddleware(auth, options = {}) {
+  const { loginUrl = "/login", protectedPaths, publicPaths } = options;
+  return async function middleware(request) {
+    const { pathname } = request.nextUrl;
+    if (publicPaths) {
+      const isPublic = publicPaths.some((pattern) => {
+        if (typeof pattern === "string") {
+          return matchPathPrefix(pathname, pattern);
+        }
+        return pattern.test(pathname);
+      });
+      if (isPublic) {
+        return NextResponse.next();
+      }
+    }
+    if (protectedPaths) {
+      const isProtected = protectedPaths.some((pattern) => {
+        if (typeof pattern === "string") {
+          return matchPathPrefix(pathname, pattern);
+        }
+        return pattern.test(pathname);
+      });
+      if (!isProtected) {
+        return NextResponse.next();
+      }
+    }
+    const session = await auth();
+    if (!session) {
+      const url = new URL(loginUrl, request.url);
+      const returnTo = request.nextUrl.search ? `${pathname}${request.nextUrl.search}` : pathname;
+      url.searchParams.set("returnTo", returnTo);
+      return NextResponse.redirect(url);
+    }
+    if (session.error && session.error !== "TokenExpired") {
+      const url = new URL(loginUrl, request.url);
+      const returnTo = request.nextUrl.search ? `${pathname}${request.nextUrl.search}` : pathname;
+      url.searchParams.set("returnTo", returnTo);
+      url.searchParams.set("error", session.error);
+      return NextResponse.redirect(url);
+    }
+    return NextResponse.next();
+  };
+}
+function withAuth(auth, handler) {
+  return async (...args) => {
+    const session = await auth();
+    if (!session) {
+      throw new Error("Unauthorized: No active session");
+    }
+    if (session.error && session.error !== "TokenExpired") {
+      throw new Error(`Unauthorized: ${session.error}`);
+    }
+    return handler(session, ...args);
+  };
+}
+export {
+  createAuthConfig,
+  createAuthMiddleware,
+  createAuthOptions,
+  createImmutableAuth,
+  createProtectedAuthProps,
+  createProtectedDataFetcher,
+  createProtectedFetchers,
+  getAuthProps,
+  getAuthenticatedData,
+  getValidSession,
+  withAuth,
+  withServerAuth
+};

package/dist/node/refresh.d.ts

@@ -0,0 +1,9 @@
+/**
+ * Check if the access token is expired or about to expire
+ * Returns true if token expires within the buffer time (default 60 seconds)
+ *
+ * @remarks
+ * If accessTokenExpires is not a valid number (undefined, null, NaN),
+ * returns true to trigger a refresh as a safety measure.
+ */
+export declare function isTokenExpired(accessTokenExpires: number, bufferSeconds?: number): boolean;